As I write this blog on an early morning train to London, it has given me time to reflect on the last few weeks of conversations I’ve been having with MSPs. One of the advantages of being a Product Specialist at Brigantia is that I’m spending all day speaking to different MSPs about a whole range of different topics. Whether this be around the increase in knowledge of DMARC among end clients, the increase in demand for dark web monitoring, or even just general challenges facing MSPs. What these conversations also show me are the trends in attacks we’re currently seeing.
Cyberattacks trends
Usually, trends come in short bursts, and often fizzle out after a short time as companies catch up in their security configuration. However, in recent weeks, I’ve had numerous MSPs coming to me all saying the same thing – their customers’ Microsoft accounts have been victim to multi-factor authentication (MFA) bypass attacks.
MFA bypass attacks
For those unaware, MFA bypass attacks are an attack method threat actors use to gain access to an account through bypassing the MFA. This can be done in a variety of ways, including:
Social engineering
This involves getting a user to provide the MFA prompt code to the threat actor, usually via a phone call.
MFA fatigue
When there is an MFA ‘approval’ that needs to happen on the users end, the threat actor ‘prompt bombs’ the user with multiple requests in succession to wear the user out and give in to approve the request.
SIM swapping
A far rarer method of bypassing MFA, but if a user is validating MFA via a phone call or SMS, a threat actor may try and convince the mobile carrier to migrate their SIM to a different device, one that’s being controlled by the threat actor.
Session hijacking
Cookies often store authentication data, they do this, so a user doesn’t get an MFA prompt every time they login, usually to try and improve user experience when they login to the same account over a short time frame. However, threat actors can steal these cookies and essentially bypass the MFA prompt and gain access to a user account.
All the above methods have been in use for some time now, but the most common theme coming up in my recent conversations with MSPs all relate back to one method – session hijacking.
What can be done about MFA bypassing?
Session hijacking as well as the other methods of attack do raise the question of how effective MFA actually is if it can be so easily bypassed by threat actors. Whilst there is no definitive answer to that question, it is certainly a topic can be explored further in a blog entirely on its own. However, it should be noted that MFA for the most part is still a useful tool that at the very least makes threat actors’ lives harder in accessing an account and it’s always worth remembering just because the lock on a door can be picked, doesn’t mean you shouldn’t still lock it.
So, what can actually be done about MFA bypassing? Here are a few of the main configurations to look out for:
- Block automatic external forwarding – you can either do this using the blunt instrument tool in Microsoft 365 or create a transport rule with exceptions to certain external users/domains.
- Enforce conditional access for foreign regions (this requires a minimum Business Premium licence)
- Ensure user accounts do not have admin privileges, or that any admin accounts have a mailbox attached
The increase in attacks we’re seeing is certainly concerning, and maybe indicates that threat actors have found an easier method of being able to enact session hijacking, however how you respond to these attacks can make a huge difference in the outcome.
You’re victim to an MFA bypass attack, what next?
There is no guarantee that the cybersecurity measures you put in place can prevent an attack. So, although it’s vital to protect at every angle possible, you also need to know what to do if an attack takes place.
What we’d recommend you do after an MFA bypass attack has been identified is the following:
Get the threat actor out of the account! - end sign in sessions, reset MFA tokens and reset the password. This must be the first port of call otherwise the threat actor that has compromised the account has free reign.
Check for any newly consented to applications – once an attack takes place, an attacker may leave a backdoor into the organisation via a third-party application.
Look for newly created mailbox rules – often threat actors will set up auto forward rules outside of the organisation, or alternatively forward emails into an RSS Feed.
Use Octiga - the Microsoft 365 security vulnerability management solution can be used to go through all previous logs to find what a threat actor looked at or changed.
Securing M365 with Octiga
All the conversations I’ve had in recent weeks have been prompted by MSPs looking at, and subsequently using Octiga across their client base to ensure security for Microsoft365. It’s crucial that M365 configuration and ongoing log monitoring is optimised across your client base to ensure that attacks are reduced to a minimum, and the fallout from any successful attack is negligible.
If you would like a demo on Octiga, please click the link below:
https://calendly.com/brigantiapartners-elliotwilkie/octiga-demo-1-hour
Or find out more about our portfolio of products here.
